Such a method could prove useful in defending against the swarm of W-2 phishing attacks that plagued the likes of Seagate, Snapchat and Sprout Farmers Market this year. In each case a lower level worker responded to what was thought to be a request from a supervisor asking for employee W-2 information.
Apparao says criminals sneakily use cloud services to create these fake emails knowing that security software keys detection on whether or not the originating domain is safe. If it sees the email came from an Amazon Web Service server it is likely to let it pass.
And a defense against business email compromise attacks is desperately needed. In a report issued earlier this year, the FBI reported that between October 2013 and February 2016 nearly 18,000 global businesses collectively lost $2.3 billion to business email compromise scams, whereby cybercriminals pose as company executives, attorneys or reputable vendors to trick employees into transferring corporate funds into fraudulent accounts.
While the general consensus says it will take a combination of technology and employee training to curb the impact of socially engineered attacks, there is also a downside to creating this situation. Employees, particularly younger workers, might slack off if they know there are layers of security software backing them up.
“What makes people susceptible is they have too much faith in the technology protecting them, “ Wallace says, adding that younger people who have less experience in the workplace are more likely to fall victim to an attack, whereas older workers are just not as trusting of both the technology and the world around them.
Area 1's Mohan says employees' high level of interaction with social media sites – ranging from LinkedIn to Facebook and all those in between – have created a fertile feeding ground for hackers looking for personal information that can be used as bait in their spearphishing attacks, with business sites particularly in the crosshairs.
“We feel the criminals are using LinkedIn as their tool of choice to find information,” Apparao says.
Companies should also stress that being aware of what one broadcasts to the world on social media has the dual effect of being good for potential attackers.
SCAMS: Let's go phishing
If one were to go by the sheer number of successful phishing attacks pulled off so far in 2016, it would seem as if all corporate employees had a huge “S” for sucker tattooed on their foreheads.
In March, a Seagate worker happily handed over the W-2 information for all 52,000 current and former employees to someone who did not work at the company. Just behind Seagate was Sprouts Farmers Market where 21,000 workers had their tax information stolen. Meanwhile, in April, Brunswick Corp., which owns the well-known Boston Whaler and Mercury Marine brands, was victimized to the tune of 13,000 worker W-2s.
Universities and colleges were proved to not be very smart when it came to sussing out real from faux email requests. Solano and Tidewater community colleges were each hit, but were in good company as the University of Virginia gave up the W-2 info on 1,400 employees.
However, some criminals decided to cut out the middle man and simply spoof workers into sending cold, hard cash out of the company coffers and into their bank accounts. The largest such incident involved an unnamed company that sent $100 million to a crafty crook who convinced them to change some direct deposit account numbers used to pay for goods to his own bank. Luckily, $75 million was recovered.
Toy maker Mattel fell for a similar scam, sending $3 million to an unknown entity, again recovered, and in late April, Pomeroy Investment Corp., of Troy, Mich., lost $495,000.